Additional Info Needed to Disable CSRF Protection for JSON API Requests #361
Samuelodan
started this conversation in
General
Replies: 1 comment 2 replies
-
I should probably update that wiki page, because recent versions of Rodauth now disable CSRF protection automatically for JSON requests – jeremyevans/rodauth#449. The |
-
Hi Janko,
I recently struggled with disabling CSRF protection for requests from a separate React client, and although I'd read through the JSON API wiki, the only thing I found to help, other than completely disabling forgery protection in application.rb, was to do this:
I feel like I'd have had an easier time if the wiki stated that I needed to disable the check from Rodauth's config.
I should mention that my Rails app is NOT in api-only mode and currently has a Hotwire frontend.
Also, skipping the before action like so
skip_before_action :verify_authenticity_token, if: -> { request.format.json? }
(with and without the conditional) did not work for me. What do you think?